[systemd-devel] Fedora 38 and signed PCR binding

Aleksandar Kostadinov akostadi at redhat.com
Mon Sep 11 23:55:27 UTC 2023


On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering
<lennart at poettering.net> wrote:
>
> On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akostadi at redhat.com) wrote:
>
> > Hi again. I tried to boot from UKI to no avail.
> >
> > First created a "db" certificate
> > > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
> > > openssl x509 -outform DER -in db.pem -out db.crt
> >
> > Then uploaded it to secure boot trust via USB drive and the UEFI setup.
> >
> > Then created UKI:
> > >           /usr/lib/systemd/ukify \
> > >                 /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
> > >                 /boot/initramfs-6.4.12-200.fc38.x86_64.img \
> > >                 --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > >                 --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > >                 --phases='enter-initrd' \
> > >                 --pcr-banks=sha1,sha256 \
> > >                 --secureboot-private-key=/etc/secure_boot/db.key \
> > >                 --secureboot-certificate=/etc/secure_boot/db.pem \
> > >                 --sign-kernel \
> > >                 --cmdline='ro rhgb'
> >
> > Then added a boot entry:
> > > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"
> >
> > Unfortunately when trying to boot this I get:
> > > Bad kernel image: Load Error
>
> That suggests the kernel you picked does not carry a correct PE/MZ
> signature. I.e., we generate that error typically if we can't jump into
> it because it doesn't come with the right PE headers.

This is just a standard kernel coming with Fedora 38. I didn't modify
it. Also the initrd is as generated by dracut.

> $ hexdump -C -n4 < /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> 00000000  4d 5a ea 07                                       |MZ..|
> $ file /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz: Linux kernel x86 boot executable bzImage, version 6.4.12-200.fc38.x86_64 (mockbuild at 30894952d3244f1ab967aeda9ed417f6) #1 SMP PREEMPT_DYNAMIC Wed Aug 23 17:46:49 UTC 2023, RO-rootFS, swap_dev 0XD, Normal VGA

Any suggestions on how to fix it?

If it matters -- ukify 253 (253.7-1.fc38)
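As an added diagnostic that is not part of this thread, the following Python script checks the MZ/PE headers Lennart refers to: it verifies the DOS stub, the PE signature, and whether the optional header's security data directory (index 4) points at an Authenticode certificate table, which is what a `--sign-kernel`/sbsign step would populate. The sample image is constructed inline and is not a real kernel; the check only reports that a signature table is present, not that the signature verifies against the enrolled db certificate.

```python
import struct
import sys

# Data directory index of the Authenticode certificate table in the PE optional header.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def inspect_pe(data: bytes) -> dict:
    """Check MZ/PE headers and report whether an Authenticode certificate table is present."""
    info = {"mz": False, "pe": False, "signed": False, "machine": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info                                   # no DOS stub: not PE at all (e.g. plain ELF)
    info["mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info                                   # MZ stub without a PE header: EFI cannot load it
    info["pe"] = True
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info["machine"] = machine
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at optional-header offset 112 for PE32+ (0x20b), 96 for PE32 (0x10b);
    # NumberOfRvaAndSizes is the 4 bytes immediately before them.
    dd_off = opt + (112 if magic == 0x20B else 96)
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY and dd_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1) <= len(data):
        cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        info["signed"] = cert_off != 0 and cert_size != 0   # non-empty table => certificate(s) attached
    return info


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (not a real kernel) with an optional certificate table entry."""
    e_lfanew = 0x40
    opt = bytearray(240)                              # 112-byte PE32+ header + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x600)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. the UKI .EFI or the vmlinuz you passed to ukify
    with open(path, "rb") as fh:
        print(path, inspect_pe(fh.read()))
```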
